Several vulnerabilities have been found in cacti, a frontend to rrdtool for monitoring systems and services. The Common Vulnerabilities and Exposures project identifies the following problems:

CVE-2007-3112, CVE-2007-3113

It was discovered that cacti is prone to a denial of service via the graph_height, graph_width, graph_start and graph_end parameters. This issue only affects the oldstable (etch) version of cacti.

CVE-2009-4032

It was discovered that cacti is prone to several cross-site scripting attacks via different vectors.

CVE-2009-4112

It has been discovered that cacti allows authenticated administrator users to gain access to the host system by executing arbitrary commands via the "Data Input Method" for the "Linux - Get Memory Usage" setting.

There is no fix for this issue at this stage. Upstream will implement a whitelist policy to only allow certain "safe" commands. For the moment, we recommend that such access is only given to trusted users and that the options "Data Input" and "User Administration" are otherwise deactivated.
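As an added illustration of the kind of whitelist policy the advisory says upstream intends for data input methods, the following Python model is not cacti's code and not the upstream fix. The install path standing in for the "<path_cacti>" placeholder, the set of allowlisted executables, the scripts directory, and the sample command strings are all assumptions constructed for this example; the shape of the legitimate command follows the perl-script convention cacti's data input methods use.

```python
import re
import shlex
from pathlib import PurePosixPath

# Constructed values for this example: where the cacti install is assumed to
# live (stands in for the <path_cacti> placeholder) and which executables a
# data input method may invoke. A real deployment would derive both from
# its own configuration rather than hard-coding them.
CACTI_PATH = "/usr/share/cacti/site"
SCRIPTS_DIR = CACTI_PATH + "/scripts"
KNOWN_EXECUTABLES = {
    "perl": "/usr/bin/perl",
    "php": "/usr/bin/php",
    "snmpget": "/usr/bin/snmpget",
}
INTERPRETERS = {"/usr/bin/perl", "/usr/bin/php"}

# Any of these would let the command string escape into a shell.
SHELL_META = re.compile(r"[;&|`$<>(){}\\\n]")


def expand_placeholders(command: str) -> str:
    """Replace the <path_cacti> placeholder before the metacharacter check,
    so a legitimate command is not rejected for its angle brackets."""
    return command.replace("<path_cacti>", CACTI_PATH)


def validate_command(command: str) -> tuple[bool, str]:
    """Return (allowed, reason) for a proposed data input method command."""
    expanded = expand_placeholders(command)
    if SHELL_META.search(expanded):
        return False, "shell metacharacter present"
    try:
        argv = shlex.split(expanded)
    except ValueError as exc:
        return False, f"unparseable command: {exc}"
    if not argv:
        return False, "empty command"

    # Resolve a bare name such as "perl" to its allowlisted absolute path;
    # reject anything else, including look-alikes in other directories.
    exe = KNOWN_EXECUTABLES.get(argv[0], argv[0])
    if exe not in KNOWN_EXECUTABLES.values():
        return False, f"executable not on allowlist: {argv[0]}"

    # For script interpreters, the script itself must live under the scripts
    # directory, with no path traversal on the way there.
    if exe in INTERPRETERS:
        if len(argv) < 2:
            return False, "interpreter called without a script"
        script = PurePosixPath(argv[1])
        if ".." in script.parts or not str(script).startswith(SCRIPTS_DIR + "/"):
            return False, "script outside scripts directory"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs: one legitimate command and three the policy
    # should refuse.
    samples = [
        "perl <path_cacti>/scripts/linux_memory.pl MemFree:",
        "perl <path_cacti>/scripts/linux_memory.pl; id",
        "/bin/sh -c id",
        "perl <path_cacti>/scripts/../../../etc/passwd",
    ]
    for sample in samples:
        allowed, reason = validate_command(sample)
        print(f"{'ALLOW' if allowed else 'DENY '}  {sample!r}: {reason}")
```

The policy is deliberately layered: the placeholder is expanded first so the metacharacter filter sees the real path, the executable is matched against absolute paths rather than whatever is first on PATH, and interpreters are further restricted to scripts inside one directory. Such a check belongs at the point where an administrator saves the data input method, not only at execution time.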

For the oldstable distribution (etch), these problems have been fixed in version 0.8.6i-3.6.

For the stable distribution (lenny), this problem has been fixed in version 0.8.7b-2.1+lenny1.

For the testing distribution (squeeze), this problem will be fixed soon.

For the unstable distribution (sid), this problem has been fixed in version 0.8.7e-1.1.

We recommend that you upgrade your cacti packages.

Upgrade instructions
--------------------

wget url
    will fetch the file for you
dpkg -i file.deb
    will install the referenced file.

If you are using the apt-get package manager, use the line for sources.list as given below: